Understanding roles and permissions
ThingPark subscribers can define hierarchical privileges by assigning each end-user accessing the ThingPark subscription a role that matches their actual function in the enterprise. This prevents users from performing unauthorized actions that could lead to critical functional failures.
The role assigned to each user determines whether they have write permission on the resources they are authorized to access: for example, updating a Device or Base Station configuration, or sending administrative O&M commands to a Base Station. Without write access, users can still view these resources in read-only (viewer) mode.

Restricting user access to a limited set of Devices or Base Stations is handled separately, via administrative domains. To learn more about restricting user access through administrative domains, see Domains.
When authentication federation is enabled, user accounts must still be provisioned in ThingPark to define the roles and permissions assigned to each user.
ThingPark supports several administrative roles:
- Administrator role: full read/write access privileges to manage User Accounts, Domains, Service Accounts, Settings, Base Stations, Devices, Relays, Multicast Groups and Connections to the customer's IoT applications. Additionally, administrators manage the ThingPark Enterprise license activation and renewal. They may also manage the ThingPark catalogs in self-hosted deployments.
- Device, Multicast Group and Connections manager role: read/write access privileges to add, remove and update Devices, Relays, Multicast Groups and Connections matching the user's domain restrictions. Unlike administrators, users associated with only this role cannot manage Base Stations, User Accounts, Service Accounts or Domains, or change the subscription's settings.
- Base station manager role: full read/write access privileges to add, remove and update Base Stations matching the user's domain restrictions. Unlike administrators, users associated with only this role cannot manage Devices, Relays, Multicast Groups, Connections, User Accounts, Service Accounts or Domains, or change the subscription's settings.
- Viewer role: read-only access to the objects matching the user's domain restrictions.
The Administrator of the ThingPark subscription can update the roles/permissions of existing users at any time. To learn more, see Managing user accounts.
The following table compares roles and permissions supported by ThingPark subscriptions.
When domain restrictions are defined for a non-administrator, the permissions below apply only to the resources matching the user's domain restrictions; all other resources are not accessible at all to that user.
| Role | Devices, Relays, Multicast Groups and Connections | Base stations | Subscription management (including users, service accounts and domains) | 
|---|---|---|---|
| Administrator | Full access | Full access | Full access | 
| Devices and Multicast Groups Manager | Full access | Read-only | No access | 
| Base Stations Manager | Read-only | Full access | No access | 
| Viewer | Read-only | Read-only | No access | 
When a non-Administrator is authorized to access a resource (according to their assigned domain restrictions) in read-only mode, the ThingPark user interface deactivates all the user actions related to this resource. For instance, the ADD BASE STATION button is not displayed to a user with read-only access to Base Station management. Additionally, all the Operation and Maintenance buttons displayed on the Advanced tab of the base station become deactivated.
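As an added illustration (not ThingPark's own code), the following Python policy model encodes the table above together with the domain rule and the UI gating just described: a user's roles combine to the highest access level, a non-administrator sees nothing outside their domains, and write buttons are hidden for read-only users. The role keys (`device_manager`, `base_station_manager`, ...), the resource categories (`devices`, `base_stations`, `subscription`) and the treatment of category-level actions are assumed labels, not ThingPark identifiers.

```python
from enum import IntEnum


class Access(IntEnum):
    NONE = 0   # not accessible at all
    READ = 1   # read-only: related actions are deactivated in the UI
    FULL = 2   # read/write


# Constructed model of the page's permission table (assumed role/category labels).
MATRIX = {
    "administrator":        {"devices": Access.FULL, "base_stations": Access.FULL, "subscription": Access.FULL},
    "device_manager":       {"devices": Access.FULL, "base_stations": Access.READ, "subscription": Access.NONE},
    "base_station_manager": {"devices": Access.READ, "base_stations": Access.FULL, "subscription": Access.NONE},
    "viewer":               {"devices": Access.READ, "base_stations": Access.READ, "subscription": Access.NONE},
}


def effective_access(roles, category):
    """Highest level granted by any of the user's roles; unknown roles grant nothing (fail closed)."""
    return max((MATRIX.get(r, {}).get(category, Access.NONE) for r in roles), default=Access.NONE)


def is_allowed(user, category, action, resource_domains=None):
    """Decide whether `user` may perform `action` ('read' or 'write') on one resource.

    user: {"roles": [...], "domains": [...] or None}; None means no domain restriction.
    resource_domains: domains the resource belongs to; None for a category-level action
    (e.g. opening the Base Stations list) that is not tied to one resource (assumption).
    """
    domain_scoped = user.get("domains") is not None and resource_domains is not None
    if ("administrator" not in user["roles"] and domain_scoped
            and not set(resource_domains) & set(user["domains"])):
        return False  # outside the user's domains: not accessible at all
    needed = Access.FULL if action == "write" else Access.READ
    return effective_access(user["roles"], category) >= needed


def enabled_buttons(user, category, buttons):
    """UI gating: buttons that need write access are deactivated for read-only users."""
    return [name for name, needs_write in buttons
            if not needs_write or is_allowed(user, category, "write")]
```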